Fun with Check Point Licensing

Perhaps one of the more challenging aspects of FireWall-1 is licensing the product. Even those who have been selling and supporting FireWall-1 for a number of years tend to get tripped up by Check Point's licensing. Throughout the book, I will mention where specific licenses are needed to perform certain functions. In this section, I specifically discuss where license considerations come into play during the initial planning and installation.

The major components that require licensing are listed below:

Firewall module

Management console

Management GUI applications, that is, SMART Clients

A firewall module enforces your security policy and sends log information to a management console. This is typically referred to as the firewall. The management console is responsible for storing, compiling, and pushing the security policies out to the firewall modules. It also receives logging information from the firewall modules and processes alerts. The Management GUI applications allow you to view, edit, and install security policies; view logs; and see the status of all installed firewall modules. The Management GUIs communicate with the management console, which does all of the actual work.

With some exceptions, which I will note in the following sections, each of these components may exist on separate systems. You can even mix and match the platforms on which each of these components exist.[1] For example, you can have the firewall on a Nokia platform, the management console on Solaris, and the Management GUIs on Windows.

[1] In a High Availability configuration, each firewall in the cluster must be on the same platform.

Types of Licenses

In the following subsections, I describe the types of licenses you can get for FireWall-1.

Node-Limited Firewalls

Node-limited firewall licenses are restricted in terms of the number of IP addresses that can be behind the firewall. FireWall-1 listens for IP traffic on all interfaces except the external one(s). When you define the gateway object within FireWall-1 that represents the gateway, you specify which interface(s) is/are external. Whenever it hears hosts talking with an address on a nonexternal interface, it notes the IP addresses. Once FireWall-1 has heard n IPs (plus a 10% fudge factor), connections from the (n+1)th host onward generate e-mails to root and messages to syslog or the Windows Event Viewer. When the license is exceeded by a large number of hosts on a busy network, FireWall-1 consumes itself logging and mailing out messages about the exceeded license; in many cases the firewall then processes traffic very slowly, if at all.

So what are the implications of how FireWall-1 enforces a node-limited license? Anything behind your firewall with an IP address will eventually be found out. This includes noncomputer components like printers, coffee makers,[2] and so on. Anything with an IP address that talks on your LAN will be heard, eventually. Also, machines with multiple IP addresses will most likely be counted more than once. Peripherals that do not use TCP/IP should not be counted. Machines that only use AppleTalk, IPX, NetBEUI, and so on should also not be counted. Because FireWall-1 only looks for IP traffic, it should safely ignore these machines.

[2] There's even an official Request for Comment (RFC) related to coffeepots connected to the Internet. See RFC 2324, the Hyper Text Coffee Pot Control Protocol, at http://www.faqs.org or another source for Internet RFCs.
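The following is an added illustration of the counting behavior just described; it is not Check Point's code, and the traffic it processes is constructed. It assumes things the text leaves unstated: a packet is modelled as (interface it was heard on, source address, protocol); only the source address of traffic arriving on a nonexternal interface is counted; the 10% fudge factor is computed as floor(n * 1.1); and every packet from a host beyond that threshold produces one mail-plus-syslog event. Run against a 25-node license, it shows the printer and the second address of a dual-homed host being counted, non-IP and external-side traffic being ignored, and why events scale with traffic rather than with hosts.

```python
"""Model of node-limited license counting in FireWall-1, as the text describes it.
Added illustration, not Check Point code. Assumptions (not from the text):
  * a packet is (iface, src_ip, proto); only src_ip is counted, and only when
    the packet arrives on a nonexternal interface;
  * the fudge factor is floor(n * 1.1), done here with integer math;
  * each packet from a host past the threshold yields one log/mail event.
"""
from collections import Counter


class NodeLimitedLicense:
    def __init__(self, licensed_nodes, external_ifaces):
        self.licensed_nodes = licensed_nodes
        self.external_ifaces = frozenset(external_ifaces)
        self.order = {}    # address -> position in which it was first heard
        self.events = []   # one entry per over-limit packet (e-mail to root + syslog)

    @property
    def threshold(self):
        # Licensed node count plus the 10% fudge factor.
        return self.licensed_nodes * 11 // 10

    def observe(self, iface, src_ip, proto="ip"):
        """Account for one packet. Returns True if it triggered an over-limit event."""
        if proto != "ip":
            return False                 # IPX, AppleTalk, NetBEUI are never counted
        if iface in self.external_ifaces:
            return False                 # external interfaces are not watched
        if src_ip not in self.order:
            self.order[src_ip] = len(self.order) + 1
        if self.order[src_ip] > self.threshold:
            self.events.append((iface, src_ip))
            return True
        return False

    def report(self):
        offenders = Counter(ip for _, ip in self.events)
        return {
            "threshold": self.threshold,
            "counted": len(self.order),
            "events": len(self.events),
            "offenders": dict(offenders),
        }


def build_sample_traffic():
    """Constructed traffic: 28 workstations (2 packets each), a network printer,
    the second address of a dual-homed box, one IPX frame, and Internet-side traffic."""
    pkts = []
    for host in range(1, 29):
        pkts += [("eth1", f"10.1.1.{host}")] * 2
    pkts.append(("eth1", "10.1.1.200"))                 # printer: has an IP, so it counts
    pkts.append(("eth2", "10.1.2.5"))                   # 10.1.1.5's second NIC, counted again
    pkts.append(("eth1", "00:11:22:33:44:55", "ipx"))   # non-IP traffic, ignored
    pkts.append(("eth0", "203.0.113.7"))                # heard on the external interface, ignored
    return pkts


def run(licensed_nodes=25, external_ifaces=("eth0",)):
    """Feed the constructed traffic through a license of the given size and summarize."""
    lic = NodeLimitedLicense(licensed_nodes, external_ifaces)
    for pkt in build_sample_traffic():
        lic.observe(*pkt)
    return lic.report()


if __name__ == "__main__":
    # With 25 licensed nodes the threshold is 27; 30 addresses are counted and
    # every packet from the 28th host, the printer and the second NIC is an event.
    print(run())
    # The same traffic against a 50-node license produces no events at all.
    print(run(licensed_nodes=50))
```

Note that the two packets from the 28th workstation produce two events: on a real LAN the 28th host does not send two packets but thousands, and each one costs the firewall a syslog write and a mail, which is the slowdown the text warns about.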

Node-limited licenses are appropriate for use only where you can guarantee the number of hosts behind a single gateway. While it is trivial to fool the firewall into believing there are fewer hosts behind it than there are, Check Point's End User License Agreement forbids using any means to circumvent its licensing mechanisms. As stated in section 2.5 of the End User License Agreement that comes with FireWall-1 NG Feature Pack 3 (FP3):

The License permits the use of the Product in accordance with the designated number of IP addresses [...]. It is a violation of this End User License Agreement to create, set-up or design any hardware, software or system which alters the number of readable IP addresses presented to the Product with the intent, or resulting effect, of circumventing the Licensed Configuration.

In FireWall-1 4.1 and earlier, node-limited licensed gateways were permitted to have only a single external interface. In FireWall-1 NG, you can have more than one external interface defined. However, routing between external interfaces is not permitted.

Single-Gateway Products

A single-gateway product (also referred to as a firewall Internet gateway) is a node-limited firewall module bundled with a management console. This management console is only capable of managing a single-firewall module, and the firewall module must be installed on the same host as the management console. Because a single-gateway product includes a node-limited firewall license, it has the same restrictions as those stated in the previous section.

Secure Server (FireWall-1 Host)

One license type is designed to protect a single host. It has all the functionality of a standard firewall module except that it is not allowed to forward packets.

SMART Console and SMART Center (Management Console)

SmartCenter is Check Point's marketing name for the management console in FireWall-1 NG FP3 and NG with Application Intelligence[3] (NG AI); the SMART Clients that talk to it are the SmartConsole applications. If your single-gateway product does not include a management console, you need to obtain a separate license for the management console. You can install the management console on the same platform as the firewall. If you plan to manage multiple firewalls or use High Availability, having your management console on a different platform is recommended. For more information on remote management, see Chapter 7.

[3] NG AI is Feature Pack 4. Check Point decided to give it a spiffy new marketing name.

Motif GUI

A separate license is needed if you want to use the Management GUIs on any platform other than a Windows platform.[4] This is because Check Point must pay a licensing fee to the company that provides Check Point with the tool kit used to make the GUI for these platforms. These licenses were free for FireWall-1 4.0, but they require additional payment for FireWall-1 4.1 and later. The license is tied to the IP address or hostid of your management console and will be installed on your management console.

[4] If you use a copy of Crossover Office v2.1 or above, you can install and use the SmartConsole applications on Linux, albeit with a few minor glitches. For more information on Crossover Office, see http://www.codeweavers.com.

Check Point Express (Small-Office Products)

After the release of NG AI, Check Point decided to change how it sells products geared toward small-office environments. Check Point Express is targeted for companies with sites of 50 to 500 users, and it supports multiple sites. Essentially, anything you can get in an enterprise edition (which typically supports unlimited users) can be obtained in a Check Point Express version. Check Point Express runs on the same type of hardware that "normal" Check Point licenses run on, but Check Point Express supports a limited number of users and costs less. Check Point Express licenses require the use of NG AI with a special patch that enables the Check Point Express licensing (available at http://www.checkpoint.com/techsupport/express.html). NG AI R55 and later will support Check Point Express directly.

VPN-1 Embedded NG (Safe@ Products)

SofaWare is a wholly owned subsidiary of Check Point that makes security devices aimed more at the consumer market and priced accordingly. These are referred to as Safe@ appliances. The hardware devices are similar to a Linksys or D-Link home router in form factor and features, though the number of users supported is limited by license: five users at the low end, unlimited users on the higher-end hardware. These devices support most cable/DSL providers, using DHCP with dynamic addressing and PPP over Ethernet (PPPoE) support. They do not run Check Point FireWall-1 but rather what Check Point calls VPN-1 Embedded NG under a Linux operating system. The devices can be locally managed or can be integrated into an existing Check Point environment, supporting content security and VPN access (both client-to-site and site-to-site). NG FP3 and later include a management plug-in that allows limited management of these devices.

A number of companies sell platforms that run VPN-1 Embedded NG: VPN Dynamics (V4), Nokia (IP30 and IP40), Intrusion (PDS500), and Celestix (Orion series). Check Point sells its own version of these products under the VPN-1 Edge and SofaWare S-box labels.

SmartDirectory (LDAP Account Management)

If you plan to integrate FireWall-1 with a Lightweight Directory Access Protocol (LDAP) server (see Chapter 8 for details), you need to purchase an additional license for this feature.

VPN, SecuRemote, and SecureClient

All VPN functionality in FireWall-1, whether for site-to-site or client-to-site, requires additional licenses to be installed on the management and firewall modules. The software to support this functionality is included in the installation; the license simply activates it. The SecureClient endpoints do not require licenses to be installed on them.

Getting Licenses

Each product you purchase comes with a certificate key. This certificate key, once registered at http://usercenter.checkpoint.com, can be used to obtain your permanent license key for your product. The actual process, if everything goes well, is very straightforward. Not only will you be given the license information on a Web page, you will also be sent e-mail with the same information. Save this e-mail and print the license page. You will need this information when installing the product. You will also need the certificate key when you upgrade at a later date because the same certificate key will be used for the updated product (provided you purchase a software subscription, which should be activated at the same time the product is licensed).

There are two types of licenses: local licenses (i.e., tied to the specific module) and central licenses (i.e., tied to the management console). Local licenses are the more traditional type that's been in use in FireWall-1 since the beginning. Central licenses are new in NG and allow you to easily move a license between modules without having to have the license reissued. Central licenses are tied to the management station, so if that gets moved, you will need new licenses. Central licenses are required for modules with a dynamic IP address.

There are two ways to license a FireWall-1 installation: on a hostid or on an IP address. The hostid is an ID number based on information burned onto the motherboard. Hostid-based licensing can occur only on SPARC Solaris because this hardware type actually supports this type of license. On AIX, you can use a hostid-based license, but the hostid of an AIX box is actually based on an IP address, so there is no point to doing so. Windows, Linux, and Nokia do not allow hostid-based licenses and can be licensed only by IP addresses. For central licenses, the IP or hostid to which the license must be generated is the management module. For a local license, you use the module's IP or hostid.

Licenses based on an IP address require that the IP address noted in the license be associated with an interface that is active when FireWall-1's kernel-loadable module loads at boot time. On a Solaris or Linux platform, the licensed IP address must be associated with the physical interface (i.e., it cannot be an interface alias).
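Before generating an IP-based license, it is worth confirming that the address you are about to bind it to is a primary address on a real interface. The check below is an added example, not Check Point's code or any part of its installer. It assumes a Linux module and the line format of ip -o -4 addr show, in which an ifconfig-style alias shows up as a label such as eth0:1 and/or the word secondary; the sample output it parses is constructed. Solaris ifconfig -a output has a different layout and would need its own parser.

```python
"""Pre-install check for an IP-based FireWall-1 license on Linux.
Added example, not Check Point code. Assumption: the address table is the
output of `ip -o -4 addr show`, where aliases appear with a label like eth0:1
and/or the keyword "secondary". The sample below is constructed.
"""
import re

# Constructed sample of `ip -o -4 addr show` output: one loopback, a physical
# address on eth0, an alias on eth0 (eth0:1), and a physical address on eth1.
SAMPLE_ADDRS = r"""
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 10.1.1.1/24 brd 10.1.1.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 10.1.1.2/24 brd 10.1.1.255 scope global secondary eth0:1\       valid_lft forever preferred_lft forever
3: eth1    inet 192.168.5.1/24 brd 192.168.5.255 scope global eth1\       valid_lft forever preferred_lft forever
"""

LINE_RE = re.compile(r"^\d+:\s+(?P<iface>\S+)\s+inet\s+(?P<ip>[\d.]+)/\d+\s+(?P<rest>.*)$")
LABEL_RE = re.compile(r"\b\S+:\d+\b")     # alias label, e.g. eth0:1


def parse_addrs(text):
    """Yield (iface, ip, is_alias) for every IPv4 address line in the table."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        is_alias = "secondary" in rest.split() or LABEL_RE.search(rest) is not None
        yield m.group("iface"), m.group("ip"), is_alias


def license_ip_status(lic_ip, addr_text=SAMPLE_ADDRS):
    """Classify the licensed address: 'ok' (primary address on a physical interface),
    'alias' (interface alias, rejected on Solaris/Linux), or 'missing' (not configured
    at all, so the kernel module would not find it at boot)."""
    for _iface, ip, is_alias in parse_addrs(addr_text):
        if ip == lic_ip:
            return "alias" if is_alias else "ok"
    return "missing"


if __name__ == "__main__":
    for candidate in ("10.1.1.1", "10.1.1.2", "10.9.9.9"):
        print(candidate, license_ip_status(candidate))
```

To run it against a live box, pass the real table in: license_ip_status("10.1.1.1", subprocess.check_output(["ip", "-o", "-4", "addr", "show"], text=True)). A result of "missing" at boot is the same failure the text describes, so the address must come from the OS's persistent interface configuration rather than from a script that runs after the kernel module has loaded.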

It is relatively easy to get evaluation licenses to do the testing and even the initial deployment of your firewall. Your Check Point reseller can obtain an evaluation license for you. With each "eval pack" (which contains a CD and some documentation), you get a certificate key that can be used to generate two 30-day evaluation licenses. Fresh installations of the software since NG FP2 also contain a 15-day embedded license that is activated when Secure Internal Communication (SIC) is initialized on the platform, which happens during the initial configuration.

In some cases, it has taken many months to get the correct permanent licenses, especially when upgrading from one version of FireWall-1 to the next, so do not be surprised if this happens to you. Unfortunately, there is no magic to this process. Making sure you have copies of your certificate keys and software subscription IDs helps tremendously but does not guarantee success in obtaining a permanent license quickly. Be prepared to work with both your Check Point reseller and Check Point itself to resolve licensing issues. If you find you must run a production firewall on an evaluation license, make sure that you request new evaluation licenses at least a week before you actually need them. It may take at least that long to hunt down another license you can use. The same is true with an upgrade of permanent licenses: Request the upgrade at least a week (or more) before you need them.

There are two kinds of evaluation licenses: those that are tied to an IP address or hostid and those that are not (which are sometimes called floating evals). Licenses of the latter type display the word eval where an IP address or hostid would be. Check Point does not generally distribute these licenses, though these licenses are still used within Check Point and occasionally make their way into the outside world. These licenses are good only for a limited period of time. They usually have a start date of some sort; if the system is dated before this time, the license will be invalid. As such, you cannot backdate your system to use one of these licenses indefinitely.

During the FireWall-1 3.0 time frame, Check Point changed to a system where evaluation licenses were tied to a specific IP or hostid, which is still in use today. The dirty little secret about these licenses is that they are actually permanent licenses that have an expiration date. It appears that you can backdate the system clock to keep using these licenses after they expire. However, I am quite certain that this is against Check Point's Licensing Agreement.